From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jouni Malinen, Johannes Berg
Subject: [PATCH 4.19 89/90] mac80211: Do not use stack memory with scatterlist for GMAC
Date: Mon, 24 Jun 2019 17:57:19 +0800
Message-Id: <20190624092319.705373660@linuxfoundation.org>
In-Reply-To: <20190624092313.788773607@linuxfoundation.org>
References: <20190624092313.788773607@linuxfoundation.org>

From: Jouni Malinen

commit a71fd9dac23613d96ba3c05619a8ef4fd6cdf9b9 upstream.

ieee80211_aes_gmac() uses the mic argument directly in sg_set_buf() and that does not allow use of stack memory (e.g., BUG_ON() is hit in sg_set_buf() with CONFIG_DEBUG_SG). BIP GMAC TX side is fine for this since it can use the skb data buffer, but the RX side was using a stack variable for deriving the local MIC value to compare against the received one.

Fix this by allocating heap memory for the mic buffer.

This was found with hwsim test case ap_cipher_bip_gmac_128 hitting that BUG_ON() and kernel panic.

Cc: stable@vger.kernel.org
Signed-off-by: Jouni Malinen
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman

--- net/mac80211/wpa.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/net/mac80211/wpa.c +++ b/net/mac80211/wpa.c @@ -1175,7 +1175,7 @@ ieee80211_crypto_aes_gmac_decrypt(struct struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); struct ieee80211_key *key = rx->key; struct ieee80211_mmie_16 *mmie; - u8 aad[GMAC_AAD_LEN], mic[GMAC_MIC_LEN], ipn[6], nonce[GMAC_NONCE_LEN]; + u8 aad[GMAC_AAD_LEN], *mic, ipn[6], nonce[GMAC_NONCE_LEN]; struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; if (!ieee80211_is_mgmt(hdr->frame_control)) 
@@ -1206,13 +1206,18 @@ ieee80211_crypto_aes_gmac_decrypt(struct memcpy(nonce, hdr->addr2, ETH_ALEN); memcpy(nonce + ETH_ALEN, ipn, 6); + mic = kmalloc(GMAC_MIC_LEN, GFP_ATOMIC); + if (!mic) + return RX_DROP_UNUSABLE; if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce, skb->data + 24, skb->len - 24, mic) < 0 || crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) { key->u.aes_gmac.icverrors++; + kfree(mic); return RX_DROP_UNUSABLE; } + kfree(mic); } memcpy(key->u.aes_gmac.rx_pn, ipn, 6);
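
Review bot: In the @@ -1175 hunk, the changed declaration still leaves aad[GMAC_AAD_LEN] and nonce[GMAC_NONCE_LEN] on the stack, and both are passed to ieee80211_aes_gmac() in the same call as mic, while the commit message explains the scatterlist restriction for mic only. Please say in the commit message, or in a short comment above the declaration, why those two buffers may stay on the stack (whether the callee ever hands them to sg_set_buf() directly is not visible from this patch), so the next reader does not have to re-audit the callee.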
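
Review bot: In the @@ -1206 hunk, the new `if (!mic) return RX_DROP_UNUSABLE;` path drops a protected management frame on GFP_ATOMIC allocation failure without touching any counter, so under memory pressure these drops cannot be told apart from other unusable frames and are not reflected in icverrors either; consider a debug counter or a rate-limited message on that path. The hunk also adds kfree(mic) separately on the failure and success branches: a single exit that stores the verdict and frees once would keep a later early return from leaking the buffer. Finally, the buffer is allocated with GMAC_MIC_LEN but compared over sizeof(mmie->mic); a BUILD_BUG_ON tying the two sizes together would document that crypto_memneq() cannot read past the allocation.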